[Snort-users] CyberKit 2.2 Ping, its driven me Nuts..

CMartin at ...9696... CMartin at ...9696...
Mon Dec 29 09:37:01 EST 2003


Hey,

My 2 cents.. don't comment the line out.  I'm in the process of upgrading to
snort 2.1.0 and there is a nifty file there called threshold.conf! Now, I
briefly, and I mean briefly, looked into this file, and it appears to be
used for creating alert thresholds so you can still alert on certain items
but then limit the number reported to prevent your database and sensor from
having a heart attack.  

But I wouldn't comment the line out completely.  Then through an update,
uncomment the line.  Then be shocked to see that your network is
experiencing an abnormal alert.

It's good to keep an eye on general network trends like Erwin said.  That
Cyber Ping alert mainly started after the release of the "good fix" virus
someone released to help stop the Blaster virus, but inadvertently gave all
us snorters a HUGE headache with all the Cyber Kit Ping alerts :(

-----Original Message-----
From: Erwin Van de Velde [mailto:erwin.vandevelde at ...10361...] 
Sent: Monday, December 29, 2003 10:21 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] CyberKit 2.2 Ping, its driven me Nuts..

Hi,

Commenting it out will make you blind for internal infections!!!
I don't think it is good to comment it out, just adapt it if you really want
to get rid of the alerts. Otherwise: filtering afterwards on alerts itself.
This way you will keep statistical information on virus activity, which can 
be nice to show your boss :-)
It's also a good thing to keep an eye on general internet activity and 
commenting all those nasty alerts out isn't the way to do that.

Greetings,
Erwin Van de Velde
Student of Antwerp University
Belgium



On Monday 29 December 2003 17:51, Bryan Irvine wrote:
> I commented that rule out.
>
> On Mon, 2003-12-29 at 10:51, Chris N wrote:
> > Fellow Snorters,
> >
> > Ok, I have had enough of this "CyberKit 2.2 Ping." How are some of you
> > guys dealing with it? Do you just ignore (pass), log every one, or go and
> > try to shut the offending hosts down? Although, trying to shut down all
> > the offending hosts could be a daunting task, since there are so damn
> > many.
> >
> > Chris
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: IBM Linux Tutorials.
> > Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> > Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> > Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



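The two suggestions in this thread, limiting how many CyberKit alerts get reported and filtering alerts afterwards while keeping the statistics, can be sketched together. This is an added example, not code from any poster or from Snort; it models a simple "first N per source per interval" limit over fast-format alert lines. The SID 483, the year, the sample addresses and the local rule 1000001 are assumptions or constructed values.

```python
import re
from collections import Counter
from datetime import datetime

YEAR = 2003  # assumption: fast alerts carry no year, so one is supplied
CYBERKIT_SID = 483  # assumption: confirm the SID in your own icmp rules file

# Constructed sample in Snort "fast" alert layout; all addresses are made up.
_FMT = ("12/29-{t}.000000  [**] [1:{sid}:1] {msg} [**] [Classification: "
        "Misc activity] [Priority: 3] {{ICMP}} {src} -> 192.168.0.9")
SAMPLE = "\n".join(_FMT.format(t=t, sid=s, msg=m, src=a) for t, s, m, a in [
    ("09:37:01", 483, "ICMP PING CyberKit 2.2 Windows", "10.1.1.5"),
    ("09:37:02", 483, "ICMP PING CyberKit 2.2 Windows", "10.1.1.5"),
    ("09:37:10", 483, "ICMP PING CyberKit 2.2 Windows", "10.1.1.77"),
    ("09:37:11", 483, "ICMP PING CyberKit 2.2 Windows", "10.1.1.77"),
    ("09:37:30", 483, "ICMP PING CyberKit 2.2 Windows", "10.1.1.5"),
    ("09:37:45", 1000001, "Constructed local rule", "10.1.1.5"),
    ("09:38:05", 483, "ICMP PING CyberKit 2.2 Windows", "10.1.1.5"),
])

LINE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
                  r"\[\d+:(?P<sid>\d+):\d+\].*?\{\w+\}\s+"
                  r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->")

def limit_alerts(text, sid=CYBERKIT_SID, count=1, seconds=60):
    """Keep the first `count` alerts per source per window; tally them all."""
    windows = {}                      # src -> (window start, alerts seen)
    reported, totals = [], Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                  # not a fast-alert line
        if int(m["sid"]) != sid:
            reported.append(line)     # other rules pass through untouched
            continue
        src = m["src"]
        ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        totals[src] += 1              # statistics survive the limiting
        start, seen = windows.get(src, (ts, 0))
        if (ts - start).total_seconds() >= seconds:
            start, seen = ts, 0       # interval expired: open a new window
        if seen < count:
            reported.append(line)
        windows[src] = (start, seen + 1)
    return reported, totals

if __name__ == "__main__":
    kept, totals = limit_alerts(SAMPLE)
    print(len(kept), "alerts reported;", dict(totals))
```

The per-source totals are what keeps an internal infection visible even though most of the individual alerts are no longer reported.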